Ross A. Baker on Nostr: We had a vulnerable dependency affecting versions `< 9.4.54` and patched it with ...
We had a vulnerable dependency affecting versions `< 9.4.54` and patched it with `9.4.54.v20240208`. The CVE is declared in the Maven ecosystem, and while this version is correct according to Maven's rules [^1], it does not satisfy the predicate according to SemVer [^2], and the vulnerability scan continues to fire.
[^1]: https://maven.apache.org/ref/3.9.9/maven-artifact/apidocs/org/apache/maven/artifact/versioning/ComparableVersion.html
[^2]: https://semver.org/#spec-item-11
#GitHubSecurity #SemVer
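As an added illustration that is not part of the post above, the following Python evaluates the advisory range `< 9.4.54` against `9.4.54.v20240208` under two rule sets: a port of the core of Maven's ComparableVersion (the class linked in [^1]) and SemVer 2.0.0 precedence (spec item 11, [^2]). Maven ranks the unknown qualifier `v` above a bare release, so the version lands on the fixed side of the range; a strict SemVer parser rejects the four-component string outright. The `semver_coerce` rule, which folds the fourth component into a pre-release so that the version sorts below `9.4.54` and the range matches, is my assumption about how a lenient scanner might treat such a version, not a documented behaviour of GitHub's scanner or of Maven.

```python
"""The predicate '< 9.4.54' evaluated under Maven ComparableVersion rules and under SemVer 2.0.0."""
import re
from itertools import zip_longest

# Maven: a port of the core of ComparableVersion (single-letter aliases such as "1a1" are omitted).
QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
ALIASES = {"ga": "", "final": "", "release": "", "cr": "rc"}
RELEASE_KEY = str(QUALIFIERS.index(""))
_RANK = {str: 0, list: 1, int: 2}  # when item types differ: qualifier < sub-list < number
def _sign(a, b) -> int: return (a > b) - (a < b)

def _qualifier_key(q: str) -> str:
    # Known qualifiers sort by position; unknown ones (such as "v") sort after all of them.
    return str(QUALIFIERS.index(q)) if q in QUALIFIERS else f"{len(QUALIFIERS)}-{q}"

def maven_parse(version: str) -> list:
    """'.' separates items; '-' and each digit<->letter transition opens a sub-list."""
    root: list = []
    stack, cur, start, is_digit = [root], root, 0, False

    def add(text: str, digit: bool) -> None:
        cur.append(int(text) if digit else ALIASES.get(text, text))

    def open_sublist() -> None:
        nonlocal cur
        cur.append([])
        stack.append(cur[-1])
        cur = cur[-1]

    version = version.lower()
    for i, c in enumerate(version):
        if c in ".-":
            add(version[start:i], is_digit) if i > start else cur.append(0)
            start = i + 1
            if c == "-":
                open_sublist()
        elif c.isdigit() != is_digit and i > start:  # transition inside a token, e.g. "54" -> "v"
            add(version[start:i], is_digit)
            start = i
            open_sublist()
        is_digit = c.isdigit()
    if len(version) > start:
        add(version[start:], is_digit)
    while stack:  # innermost first: drop trailing 0, "" and [] so that "1.0" == "1" == "1.0.0"
        items = stack.pop()
        for i in range(len(items) - 1, -1, -1):
            if items[i] in (0, "", []):
                del items[i]
            elif not isinstance(items[i], list):
                break
    return root

def _cmp(left, right) -> int:
    # Item comparison; None stands for the missing item on the shorter side.
    if left is None:
        return 0 if right is None else -_cmp(right, None)
    if right is None:
        if isinstance(left, list):
            return next((r for r in (_cmp(x, None) for x in left) if r), 0)
        return _sign(left, 0) if isinstance(left, int) else _sign(_qualifier_key(left), RELEASE_KEY)
    if type(left) is not type(right):
        return _sign(_RANK[type(left)], _RANK[type(right)])
    if isinstance(left, list):
        return next((r for r in (_cmp(a, b) for a, b in zip_longest(left, right)) if r), 0)
    return _sign(left, right) if isinstance(left, int) else _sign(_qualifier_key(left), _qualifier_key(right))

def maven_compare(a: str, b: str) -> int:
    return _cmp(maven_parse(a), maven_parse(b))

# SemVer 2.0.0 with a simplified grammar; precedence follows spec item 11 exactly.
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z.-]+)?$")

def semver_parse(version: str) -> tuple:
    if not (m := SEMVER_RE.match(version)):
        raise ValueError(f"not a valid SemVer version: {version!r}")
    return (*map(int, m.groups()[:3]), m.group(4).split(".") if m.group(4) else [])

def _pre_cmp(a: list, b: list) -> int:
    if not a or not b:  # a release outranks any pre-release of the same core
        return (not a) - (not b)
    key = lambda s: (0, int(s), "") if s.isdigit() else (1, 0, s)  # numeric < alphanumeric (ASCII)
    return next((r for r in (_sign(key(x), key(y)) for x, y in zip(a, b)) if r), 0) or _sign(len(a), len(b))

def semver_compare(a: str, b: str) -> int:
    pa, pb = semver_parse(a), semver_parse(b)
    return _sign(pa[:3], pb[:3]) or _pre_cmp(pa[3], pb[3])

def semver_coerce(version: str) -> str:
    # Assumed lenient rule (no scanner's documented behaviour): fold a fourth component into a pre-release.
    parts = version.split(".")
    if len(parts) > 3 and all(p.isdigit() for p in parts[:3]):
        return ".".join(parts[:3]) + "-" + ".".join(parts[3:])
    return version

def is_affected(version: str, scheme: str, bound: str = "9.4.54") -> bool:
    """Does `version` satisfy the advisory predicate '< bound' under 'maven', 'semver' or 'semver-coerced'?"""
    if scheme == "semver-coerced":
        version, scheme = semver_coerce(version), "semver"
    compare = maven_compare if scheme == "maven" else semver_compare  # strict SemVer raises ValueError
    return compare(version, bound) < 0
```

Calling `is_affected("9.4.54.v20240208", "maven")` returns `False` (fixed), `is_affected(..., "semver")` raises `ValueError`, and `is_affected(..., "semver-coerced")` returns `True`: the same string is on the fixed side under the rules of the ecosystem the CVE was declared in and on the vulnerable side once it is forced into SemVer shape. The practical check is therefore which comparison the scanner applies to Maven coordinates, not whether the version string itself is right.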